Tuesday, May 31, 2016

PHP: Knowing the Basics

PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

PHP has the following features:[1]
  • PHP code may be embedded into HTML code
  • PHP code is usually processed by a PHP interpreter 
    • PHP interpreter is implemented as a module in the web server or as a Common Gateway Interface (CGI) executable. 
    • The web server combines the results of the interpreted and executed PHP code, which may be any type of data, including images, with the generated web page. 
  • PHP code may also be executed with a command-line interface (CLI) 
    • Which can be used to implement standalone graphical applications.

Pros and Cons


Based on an article posted in 2010, here are the pros and cons described by 8 experts: [2]

Pros
  • Ubiquity and ease to use
    • With PHP, you have the freedom of choosing an operating system and a web server.
  • An excellent tool for disciplined developers
    • It stays close to its C roots while removing some of the unnecessary pain points like memory management, pointers and the compile cycle. 
    • The OOP implementation is simple, elegant and easier to read than its peers. 
    • The Java mantra of "complexity at any cost" is nowhere to be found; concise method names are used throughout. 
  • Good documentation 
  • Healthy PHP community
    • PHP Planet is a great resource for and from PHP community members

Cons
  • One of PHP's biggest strengths is also one of its limitations
    • Hard to maintain code written by other people
      • PHP is very flexible in general; there are no less than 30 ways to accomplish the same task.
      • Especially when code standards are not consistent and best practices aren't followed
    • Lots of bad PHP in the world
      • The low entry barrier means that there is a lot of bad PHP in the world
      • The readily available resources online can be great and terrible at the same time
        • For example, junior developers can quickly pick up insecure PHP code from the Internet and adapt it in their projects
    • Too much choice (time can be wasted searching for quality code)
      • Developers have too much choice when it comes to selecting a library or framework to work with, and the information available is often biased and unreliable, so a lot of time can be wasted searching for quality.

PHP Composer


If you have ever written anything in PHP before, you have probably found that it feels like you have to keep re-inventing the wheel any time you want to do a common task such as user authentication, database management or request routing. PHP now has a dozen mature frameworks[10,11] that have already solved all of these problems. PHP Composer is a tool that makes it easier to cherry-pick the bits that you need from each framework.

To summarize, PHP Composer is
  • A dependency manager for PHP
    • It helps you install packages on a project-by-project basis

References

  1. What can PHP do?
  2. 8 Experts Break Down the Pros and Cons of Coding With PHP
  3. HipHop
  4. PhpUnit
  5. Joind.in
    • Is a good example of a PHP app
  6. StatusNet
    • Is an open-source microblogging platform
  7. PHPDoc
  8. Facebook
    • Best PHP application dealing with scalability
  9. What is PHP Composer?
  10. The Best PHP Framework for 2015: SitePoint Survey Results
  11. 10 PHP Frameworks For Developers – Best Of
  12. PHP Extension and Application Repository (PEAR)
    • Is a repository of PHP software code to promote the re-use of code that performs common functions (founded by Stig S. Bakken in 1999)
  13. PHPClasses.org
    • Is a service created in 1999 as a means of distributing freely available programming classes of objects written in PHP

Friday, April 22, 2016

Security Considerations: Enabling/Disabling Ping/Traceroute for Your Network

There are two Linux tools (i.e., Ping and Traceroute) commonly used for monitoring network connections. However, because of cyber attacks, most systems have been hardened to disable them in the hope of staving off attacks and the surveillance of network mapping tools.

In this article, we will demonstrate how to secure your network by using two approaches:
  • Use IP filters
    • Use filters to prevent attacks from crossing the firewall
  • Use NAT (Network Address Translation)
    • Define the name/address mappings for trusted nodes in your secure network

Ping and Traceroute


The main difference between Ping and Traceroute commands is that
  • Ping
    • Is a quick and easy way to tell you if the destination server is online and estimates how long it takes to send and receive data to the destination
  • Traceroute
    • Tells you the exact route you take to reach the server from your computer and how long each hop takes

Ping

Ping generates an ICMP echo request message and expects to receive an echo reply message in response. Echo request is a relatively safe message, but any of the ICMP messages can be used by an outsider in order to gain some knowledge of your network or to directly attack your system. Also, like every protocol that you allow, ICMP messages can be used to overwhelm your systems in a denial of service attack, and ICMP ping responses have even been used as a covert channel. Unlike the higher layer protocols, such as TCP or UDP, there is neither a source port nor a destination port, just the message type and code.[7]

Traceroute (or tracert on Windows)

Traceroute is useful in allowing network administrators to track the path that an IP packet is following in order to reach its final destination. It works by sending UDP packets from one high port (port number > 1023) to another high port. It selects a free UDP Port and starts to send packets to different high ports. If you see a series of UDP packets within this port range (i.e., 33434 - 33600), then it is probably indicative of traceroute.

In order to discover the path, it plays some tricks with the TTL value of the packet (this field must be decremented by routers every time they forward the packet). First it sends a UDP packet with TTL=1, so the first router gets the packet, decrements the TTL field, and then discards the packet because the TTL reached 0. After discarding the packet, the router sends an ICMP TTL exceeded message to the sender, so the sender learns the address of the first hop. Then it uses a TTL value of two, and it gets the second router address. It keeps collecting router addresses from TTL exceeded messages until the packet reaches the destination host.
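The UDP high-port range and the TTL-walking behaviour described above are exactly what a firewall log of an inbound traceroute looks like. As an added example (not code from the original post), the following detector runs that signature over constructed, space-separated key=value log lines; the log format is an assumption, so adapt parse() to your firewall's own log.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original post). The
# key=value format is an assumption; adapt parse() to your firewall's log.
LOG_LINES = [
    "src=203.0.113.7 dst=192.0.2.10 proto=udp dport=33434 ttl=1",
    "src=203.0.113.7 dst=192.0.2.10 proto=udp dport=33435 ttl=1",
    "src=203.0.113.7 dst=192.0.2.10 proto=udp dport=33436 ttl=1",
    "src=203.0.113.7 dst=192.0.2.10 proto=udp dport=33437 ttl=2",
    "src=203.0.113.7 dst=192.0.2.10 proto=udp dport=33438 ttl=2",
    "src=203.0.113.7 dst=192.0.2.10 proto=udp dport=33439 ttl=2",
    "src=203.0.113.7 dst=192.0.2.10 proto=udp dport=33440 ttl=3",
    # ordinary DNS traffic plus a few stray high-port packets with a full TTL:
    "src=198.51.100.4 dst=192.0.2.10 proto=udp dport=53 ttl=64",
    "src=198.51.100.4 dst=192.0.2.10 proto=udp dport=33500 ttl=64",
    "src=198.51.100.4 dst=192.0.2.10 proto=udp dport=33501 ttl=64",
    "src=198.51.100.4 dst=192.0.2.10 proto=udp dport=33502 ttl=64",
]

FIELD = re.compile(r"(\w+)=(\S+)")
TRACEROUTE_PORTS = range(33434, 33601)  # the high-port range quoted above

def parse(line):
    """Turn one key=value log line into a dict of strings."""
    return dict(FIELD.findall(line))

def find_traceroute(lines, min_probes=3):
    """Return {(src, dst): hops_probed} for flows that look like traceroute.

    A flow is flagged when at least min_probes UDP packets hit the traceroute
    port range and their TTLs start low and never decrease, i.e. the sender is
    walking the TTL as described above. The value is the highest TTL seen,
    which is how many hops of our path the sender has mapped so far.
    """
    flows = defaultdict(list)
    for line in lines:
        p = parse(line)
        if p.get("proto") != "udp" or int(p.get("dport", 0)) not in TRACEROUTE_PORTS:
            continue
        flows[(p["src"], p["dst"])].append((int(p["dport"]), int(p["ttl"])))
    suspects = {}
    for flow, probes in flows.items():
        if len(probes) < min_probes:
            continue
        ports = [d for d, _ in probes]
        ttls = [t for _, t in probes]
        if ttls[0] <= 2 and ttls == sorted(ttls) and ports == sorted(ports):
            suspects[flow] = max(ttls)
    return suspects
```

The second flow is not flagged even though three of its packets land in the port range, because its TTL is a full 64 rather than walking up from 1.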

IP Filters


Firewall implementations normally use IP filters to control which packets are passed and which are blocked on each side.[1] The information they use to decide whether to block or pass a packet is largely contained in the packet headers.

Some of the filtering criteria are:
  • The source and destination IP address
  • The direction of flow
  • The IP protocol (ICMP, TCP, UDP or other protocols)
  • The interface where the packet is detected (secure or nonsecure)

Considerations of ICMP Filtering

ICMP is a protocol designed to communicate errors and information between hosts that are processing IP datagrams. In other words, ICMP messages are the "control messages" for TCP/IP. There are many different types of ICMP messages. For example, type 8 ICMP messages are echo requests and type 0 ICMP messages are echo replies.

The echo (a.k.a. echo request) message is used to check if a host is up or down. When a host receives the request, it sends back an echo reply message. These messages are usually generated by a ping command, but may also be generated by a network management station that is polling the nodes of a network.

The simplest approach to securing the ICMP protocol is to block all ICMP messages from crossing the firewall. However, the problem is that ICMP messages are the "control messages" for TCP/IP. If you block all incoming ICMP, then you may break some essential networking. So, you want to be more selective about which ICMP messages you allow.

The absolute minimum ICMP traffic to allow is the packets dealing with TCP path MTU discovery. Fragmenting a stream is more efficient at the TCP layer than at the IP layer, so the TCP layer will try to discover when IP packets are being inadvertently fragmented. It does this by setting the DF (Don't Fragment) bit on all outgoing packets. When a router cannot forward the packet because it is too big, rather than fragmenting it, it sends back a "fragmentation needed" ICMP packet (type=3/code=4). The TCP stack then starts sending smaller IP packets, segmenting the data at the TCP layer rather than allowing routers to fragment at the IP layer. Therefore, firewalls must be configured to allow incoming ICMP type=3, code=4 packets.

How to Protect against Ping?


To counter the surveillance from ping commands, you may consider the following:[1]
  • Permit the outgoing echo request and incoming echo reply
  • Deny the incoming echo request and outgoing echo reply.
You could consider relaxing these settings for some key hosts, such as the router of your network provider.

Another consideration is Host Unreachable and Destination Unreachable packets (type=3/code=1). Allowing these to come in through your firewall will allow connections to time out faster, but they can also be used in a denial of service attack (by disconnecting clients from servers).

How to Protect against Traceroute?


As described above, traceroute involves several UDP packets flowing from the sender to the destination. The danger of exposing your traceroute service to the nonsecure network is that an attacker can use it to find out which hosts are the routers in your network. The tool manipulates the TTL field of the IP packet carrying the UDP probe in order to receive an ICMP TTL exceeded message in response. Blocking the outgoing TTL exceeded messages (type=11/code=0) will help you hide your network structure.

To counter any attacks from the traceroute command, the simplest approach is to block TTL exceeded messages (type=11/code=0) from going from the secure network to the nonsecure network. In summary, here is what you want to do:[1]

Traceroute from the Firewall:
  • This configuration can be safely permitted. In order to do this, you must permit outgoing UDP packets to high ports and accept incoming ICMP TTL exceeded (type=11/code=0) and port unreachable (type=3/code=3) messages.

Traceroute from the Internet to the Firewall:
  • Block the outgoing TTL exceeded messages (type=11/code=0)
  • In addition, you also want to block the outgoing ICMP port unreachable messages (type=3/code=3), because they would be useful to an attacker as a fast way to discover which services you are providing.
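As an added example (not code from the original post), here is a small first-match model of the ICMP filter rules recommended in the ping section, the path MTU discovery paragraph, and the traceroute section above. The addresses are constructed, and 198.51.100.1 plays the role of a trusted key host such as the provider's router; the audit() helper is also my own addition, not part of any firewall product.

```python
# Added example (not from the original post): an ordered ICMP filter table
# modelling the recommendations above; first matching rule wins and anything
# unmatched is denied. Addresses are constructed; 198.51.100.1 stands in for
# the "key host" (e.g. your provider's router) that is still allowed to ping you.
TRUSTED_PINGER = "198.51.100.1"

# (direction, peer, icmp_type, icmp_code, action); None matches anything.
# direction "in" = nonsecure -> secure, "out" = secure -> nonsecure;
# peer = source address for "in", destination address for "out".
RULES = [
    ("in",  None,           3,  4,    "permit"),  # fragmentation needed: keeps PMTU discovery working
    ("out", None,           8,  None, "permit"),  # our outgoing echo requests
    ("in",  None,           0,  None, "permit"),  # echo replies to our pings
    ("in",  TRUSTED_PINGER, 8,  None, "permit"),  # the key host may ping us...
    ("out", TRUSTED_PINGER, 0,  None, "permit"),  # ...and gets its reply
    ("in",  None,           8,  None, "deny"),    # everyone else: no incoming echo request
    ("out", None,           0,  None, "deny"),    # and no outgoing echo reply
    ("out", None,           11, 0,    "deny"),    # hide routers from traceroute run from the Internet
    ("out", None,           3,  3,    "deny"),    # hide which UDP services exist
    ("in",  None,           11, 0,    "permit"),  # traceroute from the firewall needs these back
    ("in",  None,           3,  3,    "permit"),
]

def decide(direction, icmp_type, icmp_code, peer="0.0.0.0"):
    """Return 'permit' or 'deny' for one ICMP packet using first-match semantics."""
    for r_dir, r_peer, r_type, r_code, action in RULES:
        if r_dir != direction:
            continue
        if r_peer is not None and r_peer != peer:
            continue
        if r_type != icmp_type:
            continue
        if r_code is not None and r_code != icmp_code:
            continue
        return action
    return "deny"  # default deny: be selective about which ICMP you let through

def audit(rules=RULES):
    """Report indexes of rules that can never match because an earlier, broader
    rule already catches everything they would (a common ordering mistake)."""
    shadowed = []
    for i, (d, peer, t, c, _) in enumerate(rules):
        for d2, peer2, t2, c2, _ in rules[:i]:
            if d2 == d and t2 == t and peer2 in (None, peer) and c2 in (None, c):
                shadowed.append(i)
                break
    return shadowed
```

Note that the per-host exceptions for the key host must come before the general deny rules, otherwise audit() reports them as shadowed and the key host is blocked like everyone else.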

To find out which high port is used by your traceroute service, do:

#cat /etc/services
traceroute 33434/tcp
traceroute 33434/udp

Securing Network by Using NAT


Network address translation (NAT) can be utilized to secure your network by
  1. Providing access to nonsecure network name/address mappings for users in the secure network
  2. Hiding the secure network names and addresses from users outside the secure network
  3. Providing name/address mapping for resources that you want to reveal (usually servers and gateways)
Here is how the address translation is done. For each:
  • Outgoing IP packet
    • The source address is checked by the NAT configuration rules.
      • If a rule matches the source address, the address is translated to an official address from the predefined address pool.
  • Incoming packet
    • The destination address is checked if it is used by NAT.
      • When this is true the address is translated to the original unofficial address.

Note that only TCP and UDP packets are translated by NAT. The ICMP protocol is not supported by NAT. For example, pinging the NAT addresses does not work, because ping uses the ICMP protocol.

Allowing Ping/Traceroute from Firewall to Internet


Users will constantly ask for the ability to ping and traceroute machines on the Internet. Most firewall administrators will eventually give in to these demands. Nobody really needs to ping/traceroute, but they really want to.

To protect your network, basically you will create filter rules that will route packets from a secure network to the Internet and back. NAT will take care of the address translation of the secure addresses. Normally, NAT translation will occur for the outgoing packet after the packet has gone through both packet filters (secure and non-secure). This means that you should never mention NAT addresses in the filter rules.

References

  1. Protect and Survive Using IBM Firewall 3.1 for AIX (pdf)
  2. differences between ping and traceroute
  3. Default TCP Port
  4. Ping Blocking: How to do and how to break?
  5. tracert (Windows; traceroute in Linux)
  6. Firewall Forensics (What am I seeing?)
  7. ICMP Types and Codes
    • There are many different types of ICMP messages.
  8. ICMP (RFC 792)
  9. IP Fragmentation: How to Avoid It?
  10. Docker Container Networks: All Things Considered (Xml and More)